EP1483680A2 - Secure traversal of network components - Google Patents

Secure traversal of network components

Info

Publication number
EP1483680A2
Authority
EP
European Patent Office
Prior art keywords
ticket
content server
client
proxy
authority
Prior art date
Legal status
Granted
Application number
EP03743203A
Other languages
English (en)
French (fr)
Other versions
EP1483680B1 (de)
EP1483680A4 (de)
Inventor
Anatoliy Panasyuk
Andre Kramer
Bradley Pedersen
Current Assignee
Citrix Systems Inc
Original Assignee
Citrix Systems Inc
Priority date
Filing date
Publication date
Application filed by Citrix Systems Inc
Publication of EP1483680A2
Publication of EP1483680A4
Application granted
Publication of EP1483680B1
Anticipated expiration
Expired - Lifetime (current legal status)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0838 Network architectures or network communication protocols for network security for authentication of entities using passwords using one-time-passwords
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F17/00 Digital computing or data processing equipment or methods, specially adapted for specific functions
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones

Definitions

  • the present invention relates generally to traversing network components and, more specifically, to providing secure, authenticated traversal of arbitrary network components using next-hop routing and per-hop tickets.
  • a computer system 100 known to the prior art typically includes a client computer 110, a content server proxy 115, and a content server 120.
  • the client computer 110 is typically a personal computer that can download information from the content server 120 over a network 130, such as the Internet or World Wide Web.
  • the content server proxy 115 is typically a security gateway, such as a router, through which messages to and from the content server 120 pass.
  • the content server 120 hosts one or more application programs that can be accessed by the client 110.
  • the client 110 is typically in communication with the content server proxy 115 over a client-proxy communication channel 135.
  • the content server proxy 115 is typically in communication with the content server 120 over a proxy-server communication channel 145.
  • the computer system 100 also typically includes firewalls 150, 160 to prohibit unauthorized communication to/from the content server 120.
  • the client 110 typically gains access to the content server 120 after passing through the firewall 150 of the content server proxy 115 and the firewall 160 of the content server 120.
  • the firewall 150 typically has unrestrained access to the content server proxy 115 and, in many cases, to content server 120.
  • the present invention relates to a method and system for authenticating a client to a content server.
  • the method includes the step of generating a ticket, by a ticket authority, associated with the client.
  • the ticket comprises a first ticket and a second ticket.
  • the method also includes the steps of transmitting the first ticket to the client and the client using the first ticket to establish a communication session with a content server proxy.
  • the method also includes the steps of transmitting the second ticket to the content server proxy and the content server proxy using the second ticket to establish a communication session with the content server.
  • the client is authenticated to a web server before the ticket authority generates the ticket associated with the client.
  • the method may also include the step of transmitting the first ticket to a web server and the web server transmitting the first ticket to the client.
  • the ticket authority transmits a disabled second ticket with the first ticket to the client.
  • the ticket authority can also transmit the address of a content server with the transmission of the second ticket to the content server proxy.
  • the system includes a client, a ticket authority, a content server, and a content server proxy.
  • the content server proxy communicates with the client, the ticket authority, and the content server.
  • the ticket authority generates a ticket associated with the client.
  • the ticket comprises a first ticket and a second ticket.
  • the first ticket is transmitted to the client and used to establish a first communication session with the content server proxy.
  • the second ticket is transmitted to the content server proxy and used to establish a second communication session with the content server.
  • the client is authenticated to a web server.
  • the ticket authority can also transmit the second ticket to the web server and the web server transmits the second ticket to the content server for validation.
  • the content server proxy is a secure socket layer relay.
  • FIG. 1 is a block diagram of an embodiment of a prior art communications system.
  • FIG. 2A is a block diagram of an embodiment of a communications system constructed in accordance with the invention.
  • FIG. 2B is a block diagram of another embodiment of a communications system constructed in accordance with the invention.
  • FIG. 3 is a flow diagram illustrating an embodiment of the operation of the communications system of FIG. 2A in accordance with the invention.
  • FIG. 4A is a block diagram of another embodiment of a communications system constructed in accordance with the invention.
  • FIG. 4B is a flow diagram illustrating an embodiment of the operation of the communications system of FIG. 4A in accordance with the invention.

Detailed Description of the Invention

  • FIG. 2A shows a block diagram of an embodiment of a communications system 205 for secure delivery of content.
  • the communications system 205 includes the client 110, the content server proxy 115, the content server 120, a web server 220, and a ticket authority 225.
  • the communications system 205 also includes the two firewalls 150, 160 which prohibit unauthorized communications to/from the content server 120.
  • the network between the firewalls 150, 160 is often referred to as a "demilitarized zone" (DMZ) 230.
  • the DMZ 230 includes the content server proxy 115 and the web server 220.
  • the client 110 can be any personal computer (e.g., based on a microprocessor from the x86, 680x0, PowerPC, PA-RISC, MIPS families), smart or dumb terminal, network computer, wireless device, information appliance, workstation, minicomputer, mainframe computer or other computing device that has a graphical user interface.
  • Operating systems supported by the client 110 can include any member of the WINDOWS family of operating systems from Microsoft Corporation of Redmond, Washington, Macintosh operating system, JavaOS, and various varieties of Unix (e.g., Solaris, SunOS, Linux, HP-UX, AIX, and BSD-based distributions).
  • the client 110 is in communication with the content server proxy 115 over the client-proxy communication channel 135 and also in communication with the web server 220 over the client-web server communication channel 240.
  • the content server proxy 115 is in communication with the ticket authority 225 over a proxy-authority communication channel 245 and the web server 220 is in communication with the ticket authority 225 over a web server-authority communication channel 250.
  • the content server proxy 115 is also in communication with the content server 120 over a proxy-server communication channel 145.
  • the web server 220 can communicate with the content server 120 over an agent-server communication channel 255.
  • the content server 120 can communicate with the ticket authority 225 over a ticket-content server communication channel 257.
  • the respective communication channels 135, 145, 240, 245, 250, 255, 257 are established over the network 130.
  • the client 110 includes a web browser 262, such as INTERNET EXPLORER developed by Microsoft Corporation in Redmond, WA, to connect to the web.
  • a web browser 262 uses the existing Secure Socket Layer (SSL)
  • the client 110 may also include an application client 267 for establishing and exchanging communications with the content server 120 over the client-proxy communication channel 135.
  • the application client 267 is an ICA client, developed by Citrix Systems, Inc. of Fort Lauderdale, Florida, and is hereafter referred to as ICA client 267.
  • the application client 267 can include an RDP client, developed by Microsoft Corporation of Redmond, Washington, a data entry client in a traditional client/server application, an ActiveX control, or a Java applet.
  • the output of an application executing on the content server 120 can be displayed at the client 110 via, for example, the application client 267 or the web browser 262.
  • the content server proxy 115 is a security gateway through which messages over the client-proxy communication channel 135 must pass.
  • the network firewall 150 repudiates any incoming message from the client- proxy communication channel 135 that does not have the content server proxy 115 as its destination. Likewise, the network firewall 150 repudiates any outgoing message for the client-proxy communication channel 135 unless its source is the content server proxy 115.
  • the security gateway can alternatively be a router, firewall, relay, or any network component that can provide the necessary security.
  • the content server 120 hosts one or more application programs that are available to the client 110. Applications made available to the client 110 for use are referred to as published applications.
  • Examples of such applications include word processing programs such as MICROSOFT WORD and spreadsheet programs such as MICROSOFT EXCEL, both manufactured by Microsoft Corporation of Redmond, Washington, financial reporting programs, customer registration programs, programs providing technical support information, customer database applications, or application set managers.
  • the content server 120 is a video/audio streaming server that can provide streaming audio and/or streaming video to the client 110.
  • the content server 120 is a file server that can provide any/all file types to the client 110.
  • the content server 120 can communicate with the client 110 using, for example, ICA, developed by Citrix Systems, Inc. of Ft. Lauderdale, FL, or RDP, from Microsoft Corporation of Redmond, Washington.
  • the content server 120 is a member of a server farm 269, or server network, which is a logical group of one or more servers that are administered as a single entity.
  • a server farm 269 includes multiple content servers 120; the server farm 269 can have any number of servers.
  • the server farm 269 is a protected network that is inaccessible by unauthorized individuals, such as a corporate intranet, Virtual Private Network (VPN), or secure extranet.
  • the servers making up the server farm 269 may communicate over any of the networks described above (e.g., WAN, LAN) using any of the protocols discussed.
  • the ticket authority 225 which in the embodiment shown in FIG. 2A is part of the server farm 269, issues one or more tickets to authenticate the client 110.
  • the ticket authority 225 enables authentication of the client 110 over one communication channel (i.e., the client-web server communication channel 240) based on authentication credentials.
  • the ticket authority 225 further enables the client 110 to be authenticated to another communication channel (i.e., client-proxy communication channel 135) without having the client 110 repeatedly provide authentication credentials on the other communication channel.
  • the ticket authority 225 is a stand-alone network component.
  • a modular ticket authority 225, 225', 225" is a software module residing on one or more content servers 120.
  • the web server 220 may communicate with the ticket authority 225 and/or the content server 120 over the agent-server communication channel 255.
  • the ticket authority 225 generates a first ticket and a second ticket.
  • the tickets are both nonces.
  • the tickets are generated using a cryptographic random number generator that has been suitably seeded with randomness.
  • the first ticket is transmitted to the client 110 and is used to establish a first communication session between the client 110 and the content server proxy 115.
  • the second ticket is transmitted to the content server proxy 115 and is used to establish a second communication session between the content server proxy 115 and the content server 120.
  • the DMZ 230 separates the server farm 269 from the components (e.g., content server proxy 115) of the communications system 205 that are accessible by unauthorized individuals.
  • the DMZ 230 is delineated with two firewalls 150, 160 that prohibit unauthorized communication.
  • the first firewall 150 and the second firewall 160 each apply a set of policy rules to determine which messages can traverse the DMZ 230.
  • the first firewall 150 and the second firewall 160 apply the same set of policy rules.
  • the first firewall 150 and the second firewall 160 may apply different sets of policy rules.
  • Each firewall 150, 160 can be a router, computer, or any other network access control device.
  • the communications system 205 includes one of the firewalls 150, 160 or no firewall 150, 160.
  • the web server 220 delivers web pages to the client 110.
  • the web server 220 can be any personal computer (e.g., Macintosh computer, a personal computer having an Intel microprocessor, developed by Intel Corporation of Santa Clara, California, a personal computer having an AMD microprocessor, developed by Advanced Micro Devices, Inc. of Sunnyvale, California, etc.), Windows-based terminal, network computer, wireless device (e.g., cellular phone), information appliance (e.g., RISC Power PC), X-device, workstation, minicomputer, mainframe computer, personal digital assistant or other communications device that is capable of establishing the secure client-web server communication channel 240 with the client 110.
  • the web server 220 provides a corporate portal, also referred to as an Enterprise Information Portal, to the client 110.
  • Enterprise portals are company web sites that aggregate, personalize and serve applications, data and content to users, while offering management tools for organizing and using information more efficiently.
  • the web server 220 provides a web portal, or Internet portal, to the client 110.
  • a web portal is similar to a corporate portal but typically does not include business-specific information.
  • the network 130 can be a local-area network (LAN), a wide area network (WAN), or a network of networks such as the Internet or the World Wide Web (i.e., web).
  • the respective communication channels 135, 145, 240, 245, 250, 255, 257 may each be part of different networks.
  • the client-proxy communication channel 135 can belong to a first network (e.g., the World Wide Web) and the client-web server communication channel 240 can belong to a second network (e.g., a secured extranet or Virtual Private Network (VPN)).
  • the client-web server communication channel 240 is any secure communication channel. In some embodiments, communications over channel 240 are encrypted. In certain of these embodiments, the client 110 and the web server 220 may communicate using the Secure Socket Layer (SSL) of the HyperText Transfer Protocol (HTTPS). Alternatively, the client 110 and the web server 220 may use other encryption techniques, such as symmetric encryption techniques, to protect communications.
  • Example embodiments of the communication channels 135, 145, 240, 245, 250, 255, 257 include standard telephone lines, LAN or WAN links (e.g., T1, T3, 56kb, X.25), broadband connections (ISDN, Frame Relay, ATM), and wireless connections.
  • the connections over the communication channels 135, 145, 240, 245, 250, 255, 257 can be established using a variety of communication protocols (e.g., HTTP, HTTPS, TCP/IP, IPX, SPX, NetBIOS, Ethernet, RS232, the messaging application programming interface (MAPI) protocol, the real-time streaming protocol (RTSP), the real-time streaming protocol used for user datagram protocol scheme (RTSPU), the Progressive Networks Multimedia protocol (PNM) developed by RealNetworks, Inc. of Seattle, WA, and the manufacturing message specification (MMS) protocol).
  • the client-proxy communication channel 135 can be established by using, for example, a presentation services protocol such as Independent Computing Architecture (ICA), over industry-standard transport protocols such as TCP/IP (Transmission Control Protocol/Internet Protocol), IPX/SPX, NetBEUI, ISDN, frame relay, and asynchronous transfer mode (ATM).
  • the ICA protocol provides for virtual channels, which are session-oriented transmission connections that can be used by application-layer code to issue commands for exchanging data.
  • the client-proxy communication channel 135 can be established using the thin X protocol or the Remote Display Protocol (RDP), developed by Microsoft Corporation of Redmond, Washington.
  • the communication session can be viewed as a single, logical communication session between the client 110 and the content server 120.
  • a user of the client 110 employs the web browser 262 to authenticate the user to the web server 220.
  • the client 110 transmits user credentials, such as login and password information, to the web server 220.
  • the web server 220 verifies that the user has access to the server network 269.
  • the web browser 262 uses SSL to establish the secure client-web server communication channel 240.
  • the web browser 262 can alternatively connect to the web server 220 over the client-web server communication channel 240 using other security protocols, such as, but not limited to, Secure Hypertext Transfer Protocol (SHTTP) developed by Terisa Systems of Los Altos, CA, HTTP over SSL (HTTPS), Private Communication Technology (PCT) developed by Microsoft Corporation of Redmond, Washington, and the Transport Level Security (TLS) standard promulgated by the Internet Engineering Task Force (IETF).
  • the web server 220 transmits a web portal or enterprise portal, as described above, to the client 110 upon validation of the user to enable the client 110 to request an application or a server desktop, for example, to be remotely displayed on the client 110.
  • the client user requests (step 300) content
  • the client 110 uses the web browser 262 to request an application and the web server 220 then authenticates the user.
  • the web server 220 validates (step 305) the request with the ticket authority 225.
  • the ticket authority 225 then generates (step 310) a ticket, which includes a first ticket, or client ticket, and a second ticket, or content server proxy ticket.
  • the first and second tickets are "one-time use" tickets having no further value after their first use.
  • the first and second tickets must be used within a predetermined time period.
  • the ticket authority 225 stores the first and second tickets in memory (e.g., RAM) until the ticket is used.
  • the ticket authority 225 stores the first and second tickets in a storage device (not shown) until the ticket is used.
  • the storage device may include, for example, a database or a persistent memory (e.g., on a floppy disk, hard disk drive).
  • the ticket authority 225 subsequently transmits (step 315) the client ticket to the web server 220 and the web server 220 then forwards (step 320) the client ticket to the client 110.
  • the client 110 then initiates (step 325) a communication session with the content server proxy 115 by transmitting a proxy connection request over the client-proxy communication channel 135.
  • the proxy connection request includes the client ticket.
  • the proxy connection request also includes a dummy password that can be replaced by the content server proxy 115 when establishing a communication session with the content server 120.
  • the web server 220 transmits the dummy password to the client 110 for future generation of a proxy connection request having a format acceptable to the content server proxy 115.
  • the content server proxy 115 then extricates (step 330) the client ticket from the proxy connection request and forwards the client ticket to the ticket authority 225 for validation.
  • the ticket authority 225 then validates the client ticket: it verifies the first ticket by searching its storage device (e.g., database) for the first expected ticket. If the ticket authority 225 does not find the first ticket in the storage device (such as if the first ticket has been used already), the ticket authority 225 ends the communication session. If the received ticket matches the client ticket that the ticket authority 225 expects, the client ticket is validated. The ticket authority 225 then transmits (step 340) the second or content server proxy ticket to the content server proxy 115. Additionally, the ticket authority 225 deletes the client ticket from the storage device, as the client ticket has now been used once.
  • the ticket authority 225 also transmits the Internet protocol (IP) address of the content server 120 to the content server proxy 115.
  • the ticket authority 225 transmits the domain name of the content server 120 to the content server proxy 115 for future conversion into the IP address.
  • the content server proxy 115 receives the second or content server proxy ticket and subsequently opens communications across the proxy-server communication channel 145 by transmitting (step 345) the second ticket to the content server 120.
  • the content server 120 receives the content server proxy ticket and then transmits the ticket over the ticket-content server communication channel 257 to the ticket authority 225 for validation (step 347).
  • If the ticket authority 225 determines that the content server proxy ticket received from the content server 120 has been used previously or does not have the correct value (i.e., the same value as the value stored in the associated storage device), the ticket authority 225 transmits an error message to the content server proxy 115 (or the web server 220) to terminate the established communication session with the client 110. If the ticket authority 225 validates the content server proxy ticket (step 348), the content server 120 then launches (step 350) the ICA published application. The content server 120 then transmits application information to the content server proxy 115 (step 353) for remote displaying of the application on the client 110 (step 355) using the ICA client 267.
  • the client 110 launches the ICA client 267 when initiating communications with the content server proxy 115 in step 325.
  • the client 110 launches the ICA client 267 when the client 110 receives the application information from the content server proxy 115 in step 353.
  • the client 110 is not aware of the content server proxy ticket but only the client ticket. Moreover, the ICA client 267 cannot access the content server 120 without communicating with the content server proxy 115 (and presenting the client ticket).
  • the ticket authority 225 could also transmit the content server proxy ticket to the content server proxy 115 in step 340 as the user password for the user of the client 110. This allows the content server proxy 115 to use the content server proxy ticket as the login password to gain access to the content server 120 without exposing the user's login password over the untrusted part of the web (i.e., the non-secure client-proxy communication channel 135).
  • the communications system 205 could include a centralized password mapping database managed by the ticket authority 225 and collocated with the content server 120 to map the content server proxy ticket with a user's password.
  • the password can accompany both tickets (i.e., the content server proxy ticket and the client ticket) or the password can accompany one of the two tickets.
  • the password can be a system password that does not change in value or may be a one-time use password, such as those generated by SecurID tokens developed by RSA Security Inc. of Bedford,
  • the invention can be expanded to a communications system having any number of content server proxies 115, or "hops", that the client 110 has to communicate with before establishing a communication session with the content server 120.
  • a hop can be any network component, such as a firewall, router, and relay.
  • a four-hop example is a communication system 405 having a first content server proxy 115', a second content server proxy 115", and a third content server proxy 115''' (generally 115).
  • the content server proxies 115 communicate over a proxy-proxy communication channel, such as a first proxy-proxy communication channel 410' and a second proxy-proxy communication channel 410" (generally proxy-proxy communication channel 410).
  • the client 110 communicates with the first content server proxy 115' which communicates with the second content server proxy 115".
  • the second content server proxy 115" communicates with the third content server proxy 115''' and then the third content server proxy 115''' communicates with the content server 120 over the proxy-server communication channel 145 to establish the communication session with the content server 120.
  • While the embodiment described above includes a ticket having a client ticket and a content server proxy ticket, another embodiment includes a ticket comprising numerous tickets.
  • the web server 220 receives a request from the client 110 for an application and the web server 220 validates the request with the ticket authority 225 (step 405).
  • the ticket authority 225 then generates an N-part ticket (e.g., T1, T2, ..., TN) (step 410).
  • the ticket authority 225 then transmits a portion Ti of the N-part ticket (e.g., the first part of the ticket, or first ticket T1) to the web server 220 (step 415).
  • the web server 220 then transmits the ticket T1 to the client 110 (step 420).
  • the ticket authority 225 also transmits the address of the next "hop" (e.g., the first content server proxy 115 ') to the web server 220, which then transmits the address to the client 110. This address is the address of the next hop (e.g., content server proxy 115) that this hop (e.g., client 110) needs to communicate with for the client 110 to eventually be authenticated to the content server 120.
  • the client 110 uses the address to then contact the next "hop" (e.g., first content server proxy 115') and initiates a communication session with the first content server proxy 115'.
  • Upon proper verification of the first ticket Ti (step 435), the ticket authority 225 transmits the next ticket Ti+1 from the N-part ticket (e.g., T2) to the next content server proxy 115 (e.g., first content server proxy 115') (step 440).
  • the ticket authority 225 also transmits the address of the next hop (e.g., the second content server proxy 115") to this hop (e.g., the first content server proxy 115').
  • the first content server proxy 115' transmits this ticket to the next hop (e.g., the second content server proxy 115") (step 445).
  • the second content server proxy 115" verifies T2 by transmitting the ticket to the ticket authority 225 (step 450).
  • the ticket authority 225 validates the second ticket T2 (step 455) and the process continues, as shown in steps 460 through 475. Once the last part of the N-part ticket has been validated, steps 350 through 355 occur, as shown in FIG. 3, to launch the application on the client 110.
  • each content server proxy 115 validates Ti (e.g., T2) with a ticket authority 225 associated with the content server proxy 115 (i.e., hop).
  • the ticket authority 225 at which the validation took place transmits the next ticket Ti+1 (e.g., T3) and the address of the next content server proxy 115 (i.e., the next "hop" destination) to the content server proxy 115 that had validated the ticket Ti.
  • each content server proxy 115 is associated with a ticket authority 225 that has been configured with the current and next hop tickets (i.e., validating Ti and transmitting Ti+1 for the next hop). Consequently, the next content server proxy 115 acts as the client for that hop. This process is repeated until reaching the content server 120 in the communications system 405. Thus, each hop has been validated individually without revealing all of the ticket to any one hop.
  • the ticket authority 225 may issue more than one ticket rather than issuing one ticket having many parts. For example, the ticket authority 225 generates a first hop ticket and a second hop ticket in step 410, where the first hop ticket has no association with the second hop ticket. The ticket authority 225 subsequently transmits the first hop ticket to the web server 220 and the web server 220 transmits the first hop ticket to the client 110. The client 110 transmits this first hop ticket to the content server proxy 115 (e.g., first content server proxy 115') for validation by the ticket authority 225. Upon validation in step 435, the ticket authority 225 transmits in step 440 the second hop ticket to the next content server proxy 115 (e.g., second content server proxy 115") while the first hop ticket is independent from the second hop ticket.
  • one or more of the ticket authorities 225 provides the content server proxies 115 with any necessary information needed to connect to the next hop, such as, but without limitation, encryption keys, SSL method configuration information, and authentication information to connect to a SOCKS server (e.g., SOCKS5 server, developed by NEC Corporation of Tokyo, Japan).
  • a ticket authority 225 only generates a single ticket.
  • the ticket authority 225 transmits the single ticket to the web server 220.
  • the web server 220 forwards the single ticket to the client 110.
  • the content server proxy 115 subsequently receives the ticket from the client 110 and "consumes" the single ticket upon validation.
  • the communications system 205 can use a single ticket to provide the ability to use arbitrary communication protocols over the client-proxy communication channel 135 and the client-web server communication channel 240.
  • because the content server 120 does not receive or verify the single ticket, the ticket is transparent to the content server 120 and, consequently, the content server 120 is not "aware" of the use of the ticket.
  • by exploiting the security of the secure communications between the client 110 and the web server 220 over the secure client-web server communication channel 240, the communications system 205 establishes a secure communication link over the non-secure client-proxy communication channel 135 to remotely display desktop applications securely on the client 110.
  • the ticket authority 225 transmits in step 315 a disabled version of the content server proxy ticket with the client ticket to the web server 220 for transmission to the client 110.
  • the client 110 subsequently transmits (step 325) the content server proxy ticket along with the client ticket to the content server proxy 115 as part of the proxy connection request.
  • the content server proxy 115 then forwards both tickets to the ticket authority 225.
  • upon receiving a disabled content server proxy ticket, the ticket authority 225 enables the content server proxy ticket after validating the client ticket.
  • the ticket authority 225 transmits the enabled content server proxy ticket to the content server proxy 115 for authentication to the content server 120.
  • the web server 220 receives a disabled content server proxy ticket and an enabled client ticket from the ticket authority 225 and only transmits the client ticket to the client 110.
  • the client 110 transmits (step 325) the client ticket to the content server proxy 115 as part of the proxy connection request.
  • the content server proxy 115 then forwards the client ticket to the ticket authority 225.
  • the ticket authority 225 validates the client ticket and, upon validation, enables the content server proxy ticket previously transmitted to the web server 220.
  • the ticket authority 225 transmits an enabled content server proxy ticket to the web server 220 upon validation of the client ticket for authentication to the content server 120.
  • the ticket authority 225 provides only one ticket that is enabled to the client 110 or content server proxy 115 that the ticket authority 225 can validate.
  • the ticket authority 225 may provide another ticket that cannot be validated (i.e., a disabled ticket) until the enabled ticket is validated.
  • the ticket authority 225 may not transmit the content server proxy ticket to the content server proxy 115 until the ticket authority 225 validates the enabled ticket.
  • this enforces network routing of communications using the communications system 205 because the client 110 cannot traverse the web server 220 or the content server proxy 115 without having the ticket authority 225 validate the enabled ticket and transmit the ticket needed to communicate with the content server 120.
  • the ticket authority 225, instead of transmitting the content server proxy ticket to the content server proxy 115 as in step 340, transmits the content server proxy ticket to the web server 220 directly over the web server-authority communication channel 250. The web server 220 then automatically transmits the content server proxy ticket to the content server 120. In other words, the web server 220 "pushes" the content server proxy ticket to the content server 120. The ticket authority 225 can also push the content server proxy ticket to the content server 120 without transmission of the content server proxy ticket to the content server proxy 115 or the web server 220.
  • the content server 120 retrieves the content server proxy ticket from the ticket authority 225 over the ticket-content server communication channel 257. In other words, the content server 120 "pulls" the content server proxy ticket from the ticket authority 225.
  • the above examples are illustrations of techniques used to eliminate step 345 (while modifying the destination of the transmission in step 340).
  • the invention enforces the routing of the client 110 through the content server proxy 115.
  • the client 110 has to possess the content server proxy ticket to establish a communication session with the content server 120. More specifically, to establish a connection with the content server 120, the web server 220 first has to validate the request of the client 110 with the ticket authority 225. Once validated, the client 110 obtains the first ticket and transmits this first ticket to the ticket authority 225 for validation. However, upon validation, the ticket authority 225 transmits the content server proxy ticket back to the content server proxy 115 rather than the client 110. The communication session between the client 110 and the content server 130 is established when the content server 130 receives the content server proxy ticket.
  • the client 110 has to communicate with the content server proxy 115 in order to have the content server proxy ticket transmitted to the content server 130, thereby enforcing the routing of the client 110 through the content server proxy 115.
  • the invention can ensure the proper traversal of a security device (e.g., the content server proxy 115) before granting access to the content server 120.
  • a content server 120 executes several applications, such as MICROSOFT WORD and MICROSOFT EXCEL, both developed by Microsoft Corporation of Redmond, Washington.
  • the client 110 uses NFUSE, developed by Citrix Systems, Inc. of Fort Lauderdale, Florida, to obtain information from the server farm 269 on which applications can be accessed by the client 110. If a client user wants to access and use MICROSOFT WORD, the client 110 requests the application from the web server 220. However, only users who pay an application fee for MICROSOFT WORD can become authorized to access the application.
  • the communications system 205 includes the content server proxy 115 and the ticket authority 225 to enforce the routing of the client 110 through the content server proxy 115.
  • the routing of the client 110 through the content server proxy 115 is valuable to the application provider if the content server proxy 115 is used to collect the application fee and authorize the user for access to the application.
  • the ticket authority 225 subsequently generates a ticket associated with the request for the application. An enabled first ticket is then transmitted to the client 110. Because the client 110 does not have the address of the content server 120, the client 110 cannot access the application. Further, the client 110 has not been authorized by the content server proxy 115 yet (i.e., has not yet paid). Thus, the client 110 has to communicate with the content server proxy 115 to become authorized. The content server proxy 115 can then transmit the enabled first ticket to the ticket authority 225 upon payment of the application fee.
  • the ticket authority then validates the client ticket and subsequently transmits (or enables) a content server proxy ticket to the proxy 115.
  • the content server proxy 115 then transmits the content server proxy ticket to the content server 120 (e.g., assuming the client user has paid the application fee), which enables the content server 120 to transmit the application to the client 110.
  • the communications system 205 may also use Application Launching And Embedding (ALE) technology, developed by Citrix Systems, Inc., to enable the launching of the application from or the embedding of the application into an HTML page for delivery to the client 110.
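As an added illustration (not code from the patent or from Citrix), the following Python models the ticket authority 225 for the two schemes described above: the N part ticket validated hop by hop, where no hop ever holds more than its own part, and the enabled/disabled ticket pair that forces the client 110 through the content server proxy 115 before the content server 120 will accept anything. Class and function names, the opaque random ticket format and the sample route are assumptions of this example, not details fixed by the patent.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import secrets


@dataclass
class Ticket:
    """One part of an N part ticket, with the authority's bookkeeping for it."""
    presenter: str            # the hop allowed to forward this part for validation
    next_hop: Optional[str]   # address the authority reveals once this part validates
    enabled: bool = True      # a disabled ticket cannot be validated yet (step 315 variant)
    consumed: bool = False    # every part is single use


class TicketAuthority:
    """Hypothetical model of ticket authority 225: it alone holds every part of the chain."""

    def __init__(self) -> None:
        self._tickets: Dict[str, Ticket] = {}
        self._next_part: Dict[str, Optional[str]] = {}

    def _new(self, presenter: str, next_hop: Optional[str], enabled: bool = True) -> str:
        value = secrets.token_hex(16)   # opaque value; the patent fixes no ticket format
        self._tickets[value] = Ticket(presenter, next_hop, enabled)
        self._next_part[value] = None
        return value

    def issue_chain(self, route: List[str]) -> str:
        """Step 410: generate T1..TN for the hops in route. Only T1 leaves the
        authority (to web server 220 and on to client 110)."""
        parts = [self._new(hop, route[i + 1] if i + 1 < len(route) else None)
                 for i, hop in enumerate(route)]
        for cur, nxt in zip(parts, parts[1:]):
            self._next_part[cur] = nxt
        return parts[0]

    def validate_hop(self, ticket: str, presenting_hop: str
                     ) -> Optional[Tuple[Optional[str], Optional[str]]]:
        """Steps 435/440: a hop forwards Ti. On success Ti is consumed and
        (Ti+1, next hop address) goes back to that hop, never to the client.
        None means rejected; (None, None) means the last part validated (launch)."""
        t = self._tickets.get(ticket)
        if t is None or t.consumed or not t.enabled or t.presenter != presenting_hop:
            return None
        t.consumed = True
        return self._next_part[ticket], t.next_hop

    def issue_pair(self, proxy: str, content_server: str) -> Tuple[str, str]:
        """Step 315 variant: an enabled client ticket plus a disabled proxy ticket."""
        proxy_ticket = self._new(content_server, None, enabled=False)
        client_ticket = self._new(proxy, content_server)
        self._next_part[client_ticket] = proxy_ticket
        return client_ticket, proxy_ticket

    def enable_after_validation(self, client_ticket: str, proxy_ticket: str,
                                presenting_hop: str) -> Optional[str]:
        """Proxy 115 forwards both tickets; the authority validates the client ticket,
        then enables the proxy ticket and hands it back to the proxy, not the client."""
        result = self.validate_hop(client_ticket, presenting_hop)
        if result is None or result[0] != proxy_ticket:
            return None
        self._tickets[proxy_ticket].enabled = True
        return proxy_ticket


def run_multi_hop_demo() -> Dict[str, object]:
    """Walk a three part ticket: client -> proxy 115' -> proxy 115'' -> content server 120."""
    ta = TicketAuthority()
    route = ["proxy-115'", "proxy-115''", "content-server-120"]   # constructed sample route
    t1 = ta.issue_chain(route)                 # the client only ever sees T1
    skipped = ta.validate_hop(t1, route[1])    # client tries to skip the first proxy: rejected
    hop, ticket, validated = route[0], t1, 0
    while True:
        result = ta.validate_hop(ticket, hop)
        if result is None:
            break
        validated += 1
        next_ticket, next_hop = result
        if next_ticket is None:
            break                               # last part validated: steps 350-355, launch
        hop, ticket = next_hop, next_ticket     # this hop now acts as the client for the next
    replayed = ta.validate_hop(t1, route[0])    # T1 was consumed, so a replay is rejected
    return {"hops_validated": validated, "skip_rejected": skipped is None,
            "replay_rejected": replayed is None}


def run_enforced_routing_demo() -> Dict[str, bool]:
    """Content server 120 accepts the proxy ticket only after proxy 115 validated the client ticket."""
    ta = TicketAuthority()
    client_ticket, proxy_ticket = ta.issue_pair("proxy-115", "content-server-120")
    bypass = ta.validate_hop(proxy_ticket, "content-server-120")   # still disabled: rejected
    enabled = ta.enable_after_validation(client_ticket, proxy_ticket, "proxy-115")
    accepted = enabled is not None and \
        ta.validate_hop(enabled, "content-server-120") == (None, None)
    return {"bypass_rejected": bypass is None, "accepted_after_proxy": accepted}


if __name__ == "__main__":
    print(run_multi_hop_demo())
    print(run_enforced_routing_demo())
```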

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Computing Systems (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Physics (AREA)
  • Databases & Information Systems (AREA)
  • Data Mining & Analysis (AREA)
  • Information Transfer Between Computers (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Transition And Organic Metals Composition Catalysts For Addition Polymerization (AREA)
  • Glass Compositions (AREA)
  • Low-Molecular Organic Synthesis Reactions Using Catalysts (AREA)
  • Storage Device Security (AREA)
  • Regulating Braking Force (AREA)
  • Radar Systems Or Details Thereof (AREA)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US10/083,324 US7661129B2 (en) 2002-02-26 2002-02-26 Secure traversal of network components
US83324 2002-02-26
PCT/US2003/005475 WO2003073216A2 (en) 2002-02-26 2003-02-21 Secure traversal of network components

Publications (3)

Publication Number Publication Date
EP1483680A2 true EP1483680A2 (de) 2004-12-08
EP1483680A4 EP1483680A4 (de) 2008-12-17
EP1483680B1 EP1483680B1 (de) 2010-11-24

Family

ID=27753279

Family Applications (1)

Application Number Title Priority Date Filing Date
EP03743203A Expired - Lifetime EP1483680B1 (de) 2002-02-26 2003-02-21 Secure traversal of network components

Country Status (10)

Country Link
US (1) US7661129B2 (de)
EP (1) EP1483680B1 (de)
JP (1) JP2005518595A (de)
KR (1) KR20040089648A (de)
AT (1) ATE489679T1 (de)
AU (1) AU2003231961C1 (de)
CA (1) CA2476534A1 (de)
DE (1) DE60335085D1 (de)
IL (1) IL163623A0 (de)
WO (1) WO2003073216A2 (de)

Families Citing this family (61)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7117239B1 (en) 2000-07-28 2006-10-03 Axeda Corporation Reporting the state of an apparatus to a remote computer
US7185014B1 (en) 2000-09-22 2007-02-27 Axeda Corporation Retrieving data from a server
US8108543B2 (en) 2000-09-22 2012-01-31 Axeda Corporation Retrieving data from a server
US20050198379A1 (en) * 2001-06-13 2005-09-08 Citrix Systems, Inc. Automatically reconnecting a client across reliable and persistent communication sessions
US7254601B2 (en) 2001-12-20 2007-08-07 Questra Corporation Method and apparatus for managing intelligent assets in a distributed environment
US7984157B2 (en) * 2002-02-26 2011-07-19 Citrix Systems, Inc. Persistent and reliable session securely traversing network components using an encapsulating protocol
US7661129B2 (en) 2002-02-26 2010-02-09 Citrix Systems, Inc. Secure traversal of network components
US7222175B2 (en) * 2002-02-28 2007-05-22 Intel Corporation Dynamically configurable beacon intervals for wireless LAN access points
US7962644B1 (en) * 2002-03-18 2011-06-14 Oracle International Corporation Systems and methods for handling a plurality of communications
US7178149B2 (en) 2002-04-17 2007-02-13 Axeda Corporation XML scripting of soap commands
US20040064725A1 (en) * 2002-09-18 2004-04-01 Microsoft Corporation Method and system for detecting a communication problem in a computer network
US7966418B2 (en) 2003-02-21 2011-06-21 Axeda Corporation Establishing a virtual tunnel between two computer programs
US7308504B2 (en) * 2003-07-07 2007-12-11 Sun Microsystems, Inc. System and method for dynamically disabling partially streamed content
JP2005064770A (ja) * 2003-08-11 2005-03-10 Ricoh Co Ltd Information processing device, authentication device, external device, certification information acquisition method, authentication method, function providing method, certification information acquisition program, authentication program, function providing program, and recording medium
US7447797B2 (en) * 2003-10-29 2008-11-04 International Business Machines Corporation Method and system for processing a service request associated with a particular priority level of service in a network data processing system using parallel proxies
US20050198058A1 (en) * 2004-03-04 2005-09-08 International Business Machines Corporation Services offering delivery method
US7565438B1 (en) 2004-03-30 2009-07-21 Sprint Communications Company L.P. Digital rights management integrated service solution
US20050257196A1 (en) * 2004-05-17 2005-11-17 Gideon Hollander System and method for developing new services from legacy computer applications
EP1797723A1 (de) * 2004-10-05 2007-06-20 Vectormax Corporation Video compression system
JP4938673B2 (ja) * 2004-10-15 2012-05-23 ベリサイン・インコーポレイテッド One-time password
US7450128B2 (en) * 2004-11-15 2008-11-11 Hewlett-Packard Development Company, L.P. Systems and methods of providing image copy and modify commands to a receiver with an associated display
US7937753B2 (en) * 2005-03-25 2011-05-03 Microsoft Corporation Method and apparatus for distributed information management
US7817849B2 (en) * 2005-08-18 2010-10-19 Hewlett-Packard Development Company, L.P. Method and apparatus for graphical data compression
WO2007035655A2 (en) 2005-09-16 2007-03-29 The Trustees Of Columbia University In The City Of New York Using overlay networks to counter denial-of-service attacks
US8250151B2 (en) * 2005-10-12 2012-08-21 Bloomberg Finance L.P. System and method for providing secure data transmission
JP4670598B2 (ja) * 2005-11-04 2011-04-13 日本電気株式会社 Network system, proxy server, session management method, and program
US9258124B2 (en) * 2006-04-21 2016-02-09 Symantec Corporation Time and event based one time password
US8332925B2 (en) 2006-08-08 2012-12-11 A10 Networks, Inc. System and method for distributed multi-processing security gateway
US8079077B2 (en) * 2006-08-08 2011-12-13 A10 Networks, Inc. System and method for distributed multi-processing security gateway
US20080075096A1 (en) * 2006-09-22 2008-03-27 Enthenergy, Llc Remote access to secure network devices
US8370479B2 (en) 2006-10-03 2013-02-05 Axeda Acquisition Corporation System and method for dynamically grouping devices based on present device conditions
EP2087698B1 (de) * 2006-11-08 2015-02-25 Orange Method for establishing a secured connection and corresponding MFC equipment and computer software program
US8065397B2 (en) 2006-12-26 2011-11-22 Axeda Acquisition Corporation Managing configurations of distributed devices
US8020195B2 (en) * 2007-03-30 2011-09-13 Citrix Systems, Inc. Systems and methods for user login
US9455969B1 (en) 2007-06-18 2016-09-27 Amazon Technologies, Inc. Providing enhanced access to remote services
US8312154B1 (en) * 2007-06-18 2012-11-13 Amazon Technologies, Inc. Providing enhanced access to remote services
US8181238B2 (en) * 2007-08-30 2012-05-15 Software Ag Systems and/or methods for streaming reverse HTTP gateway, and network including the same
US8683033B2 (en) * 2007-09-17 2014-03-25 International Business Machines Corporation Apparatus, system, and method for server failover to standby server during broadcast storm or denial-of-service attack
US8548467B2 (en) 2008-09-12 2013-10-01 Qualcomm Incorporated Ticket-based configuration parameters validation
US8862872B2 (en) * 2008-09-12 2014-10-14 Qualcomm Incorporated Ticket-based spectrum authorization and access control
US9148335B2 (en) * 2008-09-30 2015-09-29 Qualcomm Incorporated Third party validation of internet protocol addresses
CN101674268A (zh) * 2009-09-25 2010-03-17 中兴通讯股份有限公司 Internet access control device and method therefor, and gateway
DE102009051383A1 (de) * 2009-10-30 2011-05-12 Siemens Aktiengesellschaft Method and device for securely transmitting data
US9054913B1 (en) 2009-11-30 2015-06-09 Dell Software Inc. Network protocol proxy
KR101027725B1 (ko) * 2009-12-29 2011-04-12 주식회사 피앤피시큐어 Proxy-based security system for guaranteeing availability
JP5375976B2 (ja) * 2010-01-22 2013-12-25 富士通株式会社 Authentication method, authentication system, and authentication program
US8719910B2 (en) * 2010-09-29 2014-05-06 Verizon Patent And Licensing Inc. Video broadcasting to mobile communication devices
US9118618B2 (en) 2012-03-29 2015-08-25 A10 Networks, Inc. Hardware-based packet editor
US9596286B2 (en) 2012-05-25 2017-03-14 A10 Networks, Inc. Method to process HTTP header with hardware assistance
US8949596B2 (en) * 2012-07-10 2015-02-03 Verizon Patent And Licensing Inc. Encryption-based session establishment
US9525588B2 (en) 2012-08-14 2016-12-20 Empire Technology Development Llc Push content to a currently utilized device among client devices
WO2014034001A1 (ja) * 2012-08-31 2014-03-06 パナソニック株式会社 Web content prefetch control device, web content prefetch control program, and web content prefetch control method
US10021174B2 (en) 2012-09-25 2018-07-10 A10 Networks, Inc. Distributing service sessions
KR101692751B1 (ko) 2012-09-25 2017-01-04 에이10 네트워크스, 인코포레이티드 Data network load balancing
US10027761B2 (en) 2013-05-03 2018-07-17 A10 Networks, Inc. Facilitating a secure 3 party network session by a network device
US9106620B2 (en) 2013-11-14 2015-08-11 Comcast Cable Communications, Llc Trusted communication session and content delivery
CN105940644B (zh) * 2013-12-02 2019-11-12 阿卡麦科技公司 Virtual private network (VPN) as a service with distribution optimization while maintaining end-to-end data security
US10020979B1 (en) 2014-03-25 2018-07-10 A10 Networks, Inc. Allocating resources in multi-core computing environments
US9806943B2 (en) 2014-04-24 2017-10-31 A10 Networks, Inc. Enabling planned upgrade/downgrade of network devices without impacting network sessions
US11025672B2 (en) * 2018-10-25 2021-06-01 Palantir Technologies Inc. Approaches for securing middleware data access
US11783062B2 (en) 2021-02-16 2023-10-10 Microsoft Technology Licensing, Llc Risk-based access to computing environment secrets

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001015377A1 (en) * 1999-08-23 2001-03-01 Encommerce, Inc. Multi-domain access control
US20010000358A1 (en) * 1998-06-12 2001-04-19 Kousei Isomichi Gateway system and recording medium
WO2001074026A1 (de) * 2000-03-27 2001-10-04 E-Plus Mobilfunk Gmbh & Co. Kg Customer identification method for personalizable Internet portals based on the telephone number

Family Cites Families (240)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4438511A (en) 1980-11-10 1984-03-20 Telebit Corporation Packetized ensemble modem
US4649510A (en) 1982-04-30 1987-03-10 Schmidt Walter E Methods and apparatus for the protection and control of computer programs
GB2168831B (en) 1984-11-13 1988-04-27 Dowty Information Services Lim Password-protected data link
US4768190A (en) 1986-04-30 1988-08-30 Og Corporation Packet switching network
US4736369A (en) 1986-06-13 1988-04-05 International Business Machines Corp. Adaptive session-level pacing
US4750171A (en) 1986-07-11 1988-06-07 Tadiran Electronics Industries Ltd. Data switching system and method
US4941089A (en) 1986-12-12 1990-07-10 Datapoint Corporation Input/output network for computer system
US5390297A (en) 1987-11-10 1995-02-14 Auto-Trol Technology Corporation System for controlling the number of concurrent copies of a program in a network based on the number of available licenses
US5021949A (en) 1988-02-29 1991-06-04 International Business Machines Corporation Method and apparatus for linking an SNA host to a remote SNA host over a packet switched communications network
US4893307A (en) 1988-02-29 1990-01-09 International Business Machines Corporation Method and apparatus for linking SNA terminals to an SNA host over a packet switched communications network
US4837800A (en) 1988-03-18 1989-06-06 Motorola, Inc. Cellular data telephone system and cellular data telephone therefor
JP2643978B2 (ja) 1988-04-23 1997-08-25 株式会社ケンウッド Packet data generation device
US4924378A (en) 1988-06-13 1990-05-08 Prime Computer, Inc. License mangagement system and license storage key
US4953159A (en) 1989-01-03 1990-08-28 American Telephone And Telegraph Company Audiographics conferencing arrangement
US5349678A (en) 1991-08-21 1994-09-20 Norand Corporation Versatile RF data capture system
DE69030340T2 (de) 1989-02-24 1997-11-20 Digital Equipment Corp Broker for the selection of computer network servers
US4912756A (en) 1989-04-07 1990-03-27 Unilink Corporation Method and apparatus for error-free digital data transmission during cellular telephone handoff, etc.
US5220501A (en) 1989-12-08 1993-06-15 Online Resources, Ltd. Method and system for remote delivery of retail banking services
CA2048306A1 (en) 1990-10-02 1992-04-03 Steven P. Miller Distributed configuration profile for computing system
US5212806A (en) 1990-10-29 1993-05-18 International Business Machines Corporation Distributed control methods for management of migrating data stations in a wireless communications network
US5159592A (en) 1990-10-29 1992-10-27 International Business Machines Corporation Network address management for a wired network supporting wireless communication to a plurality of mobile users
US5181200A (en) 1990-10-29 1993-01-19 International Business Machines Corporation Handoff method and apparatus for mobile wireless workstation
CA2040234C (en) 1991-04-11 2000-01-04 Steven Messenger Wireless coupling of devices to wired network
US5204897A (en) 1991-06-28 1993-04-20 Digital Equipment Corporation Management interface for license management system
US5504814A (en) 1991-07-10 1996-04-02 Hughes Aircraft Company Efficient security kernel for the 80960 extended architecture
US5224098A (en) 1991-07-17 1993-06-29 International Business Machines Corporation Compensation for mismatched transport protocols in a data communications network
US5481721A (en) 1991-07-17 1996-01-02 Next Computer, Inc. Method for providing automatic and dynamic translation of object oriented programming language-based message passing into operation system message passing using proxy objects
US5241542A (en) 1991-08-23 1993-08-31 International Business Machines Corporation Battery efficient operation of scheduled access protocol
DE4131133B4 (de) 1991-09-19 2005-09-08 Robert Bosch Gmbh Method and device for exchanging data in data processing systems
US5210753A (en) 1991-10-31 1993-05-11 International Business Machines Corporation Robust scheduling mechanm for efficient band-width usage in muliticell wireless local networks
US5610595A (en) 1991-12-09 1997-03-11 Intermec Corporation Packet radio communication system protocol
US5359721A (en) 1991-12-18 1994-10-25 Sun Microsystems, Inc. Non-supervisor mode cross address space dynamic linking
AU3944793A (en) 1992-03-31 1993-11-08 Aggregate Computing, Inc. An integrated remote execution system for a heterogenous computer network environment
US5412717A (en) 1992-05-15 1995-05-02 Fischer; Addison M. Computer system security method and apparatus having program authorization information data structures
US6026452A (en) 1997-02-26 2000-02-15 Pitts; William Michael Network distributed site cache RAM claimed as up/down stream request/reply channel for storing anticipated data and meta data
US5265159A (en) 1992-06-23 1993-11-23 Hughes Aircraft Company Secure file erasure
US5442633A (en) 1992-07-08 1995-08-15 International Business Machines Corporation Shortcut network layer routing for mobile hosts
US5307490A (en) 1992-08-28 1994-04-26 Tandem Computers, Inc. Method and system for implementing remote procedure calls in a distributed computer system
US5325361A (en) 1992-12-01 1994-06-28 Legent Corporation System and method for multiplexing data transmissions
US5550976A (en) 1992-12-08 1996-08-27 Sun Hydraulics Corporation Decentralized distributed asynchronous object oriented system and method for electronic data management, storage, and communication
US5426637A (en) 1992-12-14 1995-06-20 International Business Machines Corporation Methods and apparatus for interconnecting local area networks with wide area backbone networks
US5509070A (en) 1992-12-15 1996-04-16 Softlock Services Inc. Method for encouraging purchase of executable and non-executable software
US5410543A (en) 1993-01-04 1995-04-25 Apple Computer, Inc. Method for connecting a mobile computer to a computer network by using an address server
US5586260A (en) 1993-02-12 1996-12-17 Digital Equipment Corporation Method and apparatus for authenticating a client to a server in computer systems which support different security mechanisms
US6006090A (en) 1993-04-28 1999-12-21 Proxim, Inc. Providing roaming capability for mobile computers in a standard network
US5796727A (en) 1993-04-30 1998-08-18 International Business Machines Corporation Wide-area wireless lan access
US5446915A (en) 1993-05-25 1995-08-29 Intel Corporation Parallel processing system virtual connection method and apparatus with protection and flow control
EP0631455A1 (de) 1993-06-25 1994-12-28 Siemens Aktiengesellschaft Method for maintaining virtual connections in the event of an at least partial failure of connection paths
US6249818B1 (en) 1993-06-30 2001-06-19 Compaq Computer Corporation Network transport driver interfacing
US5794207A (en) 1996-09-04 1998-08-11 Walker Asset Management Limited Partnership Method and apparatus for a cryptographically assisted commercial network system designed to facilitate buyer-driven conditional purchase offers
US5564070A (en) 1993-07-30 1996-10-08 Xerox Corporation Method and system for maintaining processing continuity to mobile computers in a wireless network
US5359593A (en) 1993-08-26 1994-10-25 International Business Machines Corporation Dynamic bandwidth estimation and adaptation for packet communications networks
US5544246A (en) 1993-09-17 1996-08-06 At&T Corp. Smartcard adapted for a plurality of service providers and for remote installation of same
US5446736A (en) 1993-10-07 1995-08-29 Ast Research, Inc. Method and apparatus for connecting a node to a wireless network using a standard protocol
US5455953A (en) 1993-11-03 1995-10-03 Wang Laboratories, Inc. Authorization system for obtaining in single step both identification and access rights of client to server directly from encrypted authorization ticket
DE4341996A1 (de) * 1993-12-09 1995-06-14 Abb Management Ag Method for keeping clean or cleaning a gas turbine and device for carrying out the method
US5515508A (en) 1993-12-17 1996-05-07 Taligent, Inc. Client server system and method of operation including a dynamically configurable protocol stack
US5499343A (en) 1993-12-17 1996-03-12 Taligent, Inc. Object-oriented networking system with dynamically configurable communication links
US5548723A (en) 1993-12-17 1996-08-20 Taligent, Inc. Object-oriented network protocol configuration system utilizing a dynamically configurable protocol stack
US5564016A (en) 1993-12-17 1996-10-08 International Business Machines Corporation Method for controlling access to a computer resource based on a timing policy
US5491800A (en) 1993-12-20 1996-02-13 Taligent, Inc. Object-oriented remote procedure call networking system
US5495411A (en) 1993-12-22 1996-02-27 Ananda; Mohan Secure software rental system using continuous asynchronous password verification
US5491750A (en) 1993-12-30 1996-02-13 International Business Machines Corporation Method and apparatus for three-party entity authentication and key distribution using message authentication codes
US5412654A (en) 1994-01-10 1995-05-02 International Business Machines Corporation Highly dynamic destination-sequenced destination vector routing for mobile computers
US5559800A (en) 1994-01-19 1996-09-24 Research In Motion Limited Remote control of gateway functions in a wireless data communication network
US5627821A (en) 1994-03-15 1997-05-06 Hitachi, Ltd. Defect notification method in a multipoint ATM network
US5524238A (en) 1994-03-23 1996-06-04 Breakout I/O Corporation User specific intelligent interface which intercepts and either replaces or passes commands to a data identity and the field accessed
US5553139A (en) * 1994-04-04 1996-09-03 Novell, Inc. Method and apparatus for electronic license distribution
CA2143874C (en) 1994-04-25 2000-06-20 Thomas Edward Cooper Method and apparatus for enabling trial period use of software products: method and apparatus for utilizing a decryption stub
US5757907A (en) 1994-04-25 1998-05-26 International Business Machines Corporation Method and apparatus for enabling trial period use of software products: method and apparatus for generating a machine-dependent identification
JP2826468B2 (ja) 1994-04-27 1998-11-18 日本電気 株式会社 Line switching device
US5574774A (en) 1994-05-04 1996-11-12 Ericsson Inc. Method and apparatus of maintaining an open communications channel between a cellular terminal and an associated cellular radio network
US5586257A (en) 1994-05-05 1996-12-17 Perlman; Stephen G. Network architecture to support multiple site real-time video games
US5594490A (en) 1994-05-23 1997-01-14 Cable Services Technologies, Inc. System for distributing video/audio files from central location to a plurality of cable headends
US5416842A (en) 1994-06-10 1995-05-16 Sun Microsystems, Inc. Method and apparatus for key-management scheme for use with internet protocols at site firewalls
US5550981A (en) 1994-06-21 1996-08-27 At&T Global Information Solutions Company Dynamic binding of network identities to locally-meaningful identities in computer networks
US5771459A (en) 1994-06-21 1998-06-23 U.S. Philips Corporation Communication system for use with stationary and second entities, via a wireless intermediate network with gateway devices, a gateway device for use with such system, and a mobile entity provided with such gateway device
US5481535A (en) 1994-06-29 1996-01-02 General Electric Company Datagram message communication service employing a hybrid network
US5557678A (en) * 1994-07-18 1996-09-17 Bell Atlantic Network Services, Inc. System and method for centralized session key distribution, privacy enhanced messaging and information distribution using a split private key public cryptosystem
US5557732A (en) 1994-08-11 1996-09-17 International Business Machines Corporation Method and apparatus for protecting software executing on a demonstration computer
US5604490A (en) 1994-09-09 1997-02-18 International Business Machines Corporation Method and system for providing a user access to multiple secured subsystems
US5490139A (en) 1994-09-28 1996-02-06 International Business Machines Corporation Mobility enabling access point architecture for wireless attachment to source routing networks
US5652789A (en) 1994-09-30 1997-07-29 Wildfire Communications, Inc. Network based knowledgeable assistant
US5602916A (en) 1994-10-05 1997-02-11 Motorola, Inc. Method and apparatus for preventing unauthorized monitoring of wireless data transmissions
US5633868A (en) 1994-10-17 1997-05-27 Lucent Technologies Inc. Virtual circuit management in cellular telecommunications
US5659544A (en) 1994-10-17 1997-08-19 Lucent Technologies Inc. Method and system for distributed control in wireless cellular and personal communication systems
US5623601A (en) 1994-11-18 1997-04-22 Milkway Networks Corporation Apparatus and method for providing a secure gateway for communication and data exchanges between networks
US5566225A (en) 1994-11-21 1996-10-15 Lucent Technologies Inc. Wireless data communications system for detecting a disabled condition and simulating a functioning mode in response to detection
US5752185A (en) 1994-11-21 1998-05-12 Lucent Technologies Inc. Disconnection management system for wireless voice communications
US5668999A (en) 1994-12-20 1997-09-16 Sun Microsystems, Inc. System and method for pre-verification of stack usage in bytecode program loops
JP3251797B2 (ja) 1995-01-11 2002-01-28 Fujitsu Ltd Wireless LAN system
US5682478A (en) 1995-01-19 1997-10-28 Microsoft Corporation Method and apparatus for supporting multiple, simultaneous services over multiple, simultaneous connections between a client and network server
US5604801A (en) 1995-02-03 1997-02-18 International Business Machines Corporation Public key data communications system under control of a portable security device
JPH08235114A (ja) 1995-02-28 1996-09-13 Hitachi Ltd Server access method and billing information management method
US5664007A (en) 1995-03-06 1997-09-02 Samadi; Behrokh Method and apparatus for providing continuation of a communication call across multiple networks
EP0734144A3 (de) 1995-03-20 1999-08-18 Siemens Aktiengesellschaft Method and arrangement for determining the user charge in a subscriber device
US5572528A (en) 1995-03-20 1996-11-05 Novell, Inc. Mobile networking method and apparatus
US5666501A (en) 1995-03-30 1997-09-09 International Business Machines Corporation Method and apparatus for installing software
US5689708A (en) 1995-03-31 1997-11-18 Showcase Corporation Client/server computer systems having control of client-based application programs, and application-program control means therefor
US5627892A (en) 1995-04-19 1997-05-06 General Instrument Corporation Of Delaware Data security scheme for point-to-point communication sessions
US5717737A (en) 1995-06-01 1998-02-10 Padcom, Inc. Apparatus and method for transparent wireless communication between a remote device and a host system
US6418324B1 (en) 1995-06-01 2002-07-09 Padcom, Incorporated Apparatus and method for transparent wireless communication between a remote device and host system
US5592549A (en) 1995-06-15 1997-01-07 Infosafe Systems, Inc. Method and apparatus for retrieving selected information from a secure information source
US5657390A (en) 1995-08-25 1997-08-12 Netscape Communications Corporation Secure socket layer application program apparatus and method
US5657452A (en) 1995-09-08 1997-08-12 U.S. Robotics Corp. Transparent support of protocol and data compression features for data communication
US5682534A (en) 1995-09-12 1997-10-28 International Business Machines Corporation Transparent local RPC optimization
US5623600A (en) 1995-09-26 1997-04-22 Trend Micro, Incorporated Virus detection and removal apparatus for computer networks
US5758186A (en) 1995-10-06 1998-05-26 Sun Microsystems, Inc. Method and apparatus for generically handling diverse protocol method calls in a client/server computer system
US5729734A (en) 1995-11-03 1998-03-17 Apple Computer, Inc. File privilege administration apparatus and methods
AU1122997A (en) 1995-11-07 1997-06-11 Cadis, Inc. Search engine for remote object oriented database management system
US6112085A (en) 1995-11-30 2000-08-29 Amsc Subsidiary Corporation Virtual network configuration and management system for satellite communication system
US5732074A (en) 1996-01-16 1998-03-24 Cellport Labs, Inc. Mobile portable wireless communication system
US5721818A (en) 1996-01-25 1998-02-24 Apple Computer, Inc. Method and system for enabling a file server to service multiple networks of the same network protocol family by invoking multiple instances of a network session protocol
US5889816A (en) 1996-02-02 1999-03-30 Lucent Technologies, Inc. Wireless adapter architecture for mobile computing
US5856974A (en) 1996-02-13 1999-01-05 Novell, Inc. Internetwork address mapping gateway
US5754774A (en) 1996-02-15 1998-05-19 International Business Machine Corp. Client/server communication system
US5673322A (en) 1996-03-22 1997-09-30 Bell Communications Research, Inc. System and method for providing protocol translation and filtering to access the world wide web from wireless or low-bandwidth networks
US5784643A (en) 1996-03-28 1998-07-21 International Business Machines Corporation System incorporating program for intercepting and interpreting or altering commands for generating I/O activity for enabling real-time user feedback by sending substitute characters to modem
GB2313524A (en) 1996-05-24 1997-11-26 Ibm Providing communications links in a computer network
US5742757A (en) 1996-05-30 1998-04-21 Mitsubishi Semiconductor America, Inc. Automatic software license manager
EP0851628A1 (de) 1996-12-23 1998-07-01 ICO Services Ltd. Key distribution for a mobile radio network
US5740361A (en) 1996-06-03 1998-04-14 Compuserve Incorporated System for remote pass-phrase authentication
US6058250A (en) 1996-06-19 2000-05-02 At&T Corp Bifurcated transaction system in which nonsensitive information is exchanged using a public network connection and sensitive information is exchanged after automatically configuring a private network connection
US5909431A (en) 1996-06-28 1999-06-01 At&T Corp. Packet mode multimedia conferencing services over an ISDN wide area network
US6088451A (en) 1996-06-28 2000-07-11 Mci Communications Corporation Security system and method for network element access
US5748897A (en) 1996-07-02 1998-05-05 Sun Microsystems, Inc. Apparatus and method for operating an aggregation of server computers using a dual-role proxy server computer
US5812671A (en) 1996-07-17 1998-09-22 Xante Corporation Cryptographic communication system
US5848064A (en) 1996-08-07 1998-12-08 Telxon Corporation Wireless software upgrades with version control
US5944791A (en) 1996-10-04 1999-08-31 Contigo Software Llc Collaborative web browser
JP3492865B2 (ja) 1996-10-16 2004-02-03 Toshiba Corp Mobile computer device and packet encryption authentication method
JPH10178421A (ja) 1996-10-18 1998-06-30 Toshiba Corp Packet processing device, mobile computer device, packet transfer method and packet processing method
US6101543A (en) 1996-10-25 2000-08-08 Digital Equipment Corporation Pseudo network adapter for frame capture, encapsulation and encryption
JP3651721B2 (ja) 1996-11-01 2005-05-25 Toshiba Corp Mobile computer device, packet processing device and communication control method
US5974151A (en) 1996-11-01 1999-10-26 Slavin; Keith R. Public key cryptographic system having differential security levels
US6131116A (en) 1996-12-13 2000-10-10 Visto Corporation System and method for globally accessing computer services
US5987611A (en) 1996-12-31 1999-11-16 Zone Labs, Inc. System and methodology for managing internet access on a per application basis for client computers connected to the internet
US6055575A (en) 1997-01-28 2000-04-25 Ascend Communications, Inc. Virtual private network system and method
US5923756A (en) * 1997-02-12 1999-07-13 Gte Laboratories Incorporated Method for providing secure remote command execution over an insecure computer network
WO1998038762A2 (en) 1997-02-26 1998-09-03 Siebel Systems, Inc. Determining visibility to a remote database client
US6161123A (en) 1997-05-06 2000-12-12 Intermec Ip Corporation Providing reliable communication over an unreliable transport layer in a hand-held device using a persistent session
US6166729A (en) 1997-05-07 2000-12-26 Broadcloud Communications, Inc. Remote digital image viewing system and method
US6154461A (en) 1997-05-14 2000-11-28 Telxon Corporation Seamless roaming among multiple networks
US6201962B1 (en) 1997-05-14 2001-03-13 Telxon Corporation Seamless roaming among multiple networks including seamless transitioning between multiple devices
US6091951A (en) 1997-05-14 2000-07-18 Telxon Corporation Seamless roaming among multiple networks
US5968176A (en) 1997-05-29 1999-10-19 3Com Corporation Multilayer firewall system
US5935212A (en) 1997-08-07 1999-08-10 I-Planet, Inc. Connection-oriented session emulation
US6681017B1 (en) 1997-09-03 2004-01-20 Lucent Technologies Inc. Simplified secure shared key establishment and data delivery protocols for electronic commerce
US6023724A (en) 1997-09-26 2000-02-08 3Com Corporation Apparatus and methods for use therein for an ISDN LAN modem that displays fault information to local hosts through interception of host DNS request messages
US9197599B1 (en) 1997-09-26 2015-11-24 Verizon Patent And Licensing Inc. Integrated business system for web based telecommunications management
US6256739B1 (en) 1997-10-30 2001-07-03 Juno Online Services, Inc. Method and apparatus to determine user identity and limit access to a communications network
US6725376B1 (en) * 1997-11-13 2004-04-20 Ncr Corporation Method of using an electronic ticket and distributed server computer architecture for the same
US6085247A (en) 1998-06-08 2000-07-04 Microsoft Corporation Server operating system for supporting multiple client-server sessions and dynamic reconnection of users to previous sessions using different computers
DE69840658D1 (de) 1997-11-14 2009-04-23 Microsoft Corp Server operating system for supporting multiple client-server sessions and dynamic reconnection of users to previous sessions
GB2331659A (en) * 1997-11-21 1999-05-26 Ericsson Telefon Ab L M Resource reservation
US6230004B1 (en) 1997-12-01 2001-05-08 Telefonaktiebolaget Lm Ericsson Remote procedure calls using short message service
US6170075B1 (en) 1997-12-18 2001-01-02 3Com Corporation Data and real-time media communication over a lossy network
US5870412A (en) 1997-12-12 1999-02-09 3Com Corporation Forward error correction system for packet based real time media
EP1040611B1 (de) 1997-12-12 2002-06-05 3Com Corporation A forward error correction system for packet-based real-time media
US6145109A (en) 1997-12-12 2000-11-07 3Com Corporation Forward error correction system for packet based real time media
FR2773935A1 (fr) 1998-01-19 1999-07-23 Canon Kk Methods of communication between computer systems and devices implementing them
US6226750B1 (en) 1998-01-20 2001-05-01 Proact Technologies Corp. Secure session tracking method and system for client-server environment
US6147986A (en) 1998-03-06 2000-11-14 Lucent Technologies Inc. Address updating of wireless mobile terminal hosts affiliated with a wired network
US6415329B1 (en) 1998-03-06 2002-07-02 Massachusetts Institute Of Technology Method and apparatus for improving efficiency of TCP/IP protocol over high delay-bandwidth network
US6199113B1 (en) 1998-04-15 2001-03-06 Sun Microsystems, Inc. Apparatus and method for providing trusted network security
US6289461B1 (en) 1998-06-09 2001-09-11 Placeware, Inc. Bi-directional process-to-process byte stream protocol
US6243753B1 (en) 1998-06-12 2001-06-05 Microsoft Corporation Method, system, and computer program product for creating a raw data channel from an integrating component to a series of kernel mode filters
EP1005779B1 (de) 1998-06-19 2008-03-12 Juniper Networks, Inc. Device for forwarding IP packets and switching ATM cells
US6564320B1 (en) * 1998-06-30 2003-05-13 Verisign, Inc. Local hosting of digital certificate services
US6360265B1 (en) 1998-07-08 2002-03-19 Lucent Technologies Inc. Arrangement of delivering internet protocol datagrams for multimedia services to the same server
US6269402B1 (en) 1998-07-20 2001-07-31 Motorola, Inc. Method for providing seamless communication across bearers in a wireless communication system
US6714536B1 (en) 1998-07-21 2004-03-30 Eric M. Dowling Method and apparatus for cosocket telephony
US7277424B1 (en) 1998-07-21 2007-10-02 Dowling Eric M Method and apparatus for co-socket telephony
JP3216607B2 (ja) * 1998-07-29 2001-10-09 NEC Corp Digital work distribution system and method, digital work reproduction device and method, and recording medium
US6233619B1 (en) 1998-07-31 2001-05-15 Unisys Corporation Virtual transport layer interface and messaging subsystem for high-speed communications between heterogeneous computer systems
US6094423A (en) 1998-08-03 2000-07-25 Motorola, Inc. Wireless protocol method and apparatus supporting transaction requests with variable length responses
US6226618B1 (en) 1998-08-13 2001-05-01 International Business Machines Corporation Electronic content delivery system
US6308281B1 (en) 1998-09-02 2001-10-23 International Business Machines Corporation Virtual client to gateway connection over multiple physical connections
US6574239B1 (en) 1998-10-07 2003-06-03 Eric Morgan Dowling Virtual connection of a remote unit to a server
US6484206B2 (en) 1998-10-07 2002-11-19 Nortel Networks Limited Efficient recovery of multiple connections in a communication network
US7136645B2 (en) 1998-10-09 2006-11-14 Netmotion Wireless, Inc. Method and apparatus for providing mobile and other intermittent connectivity in a computing environment
US6546425B1 (en) 1998-10-09 2003-04-08 Netmotion Wireless, Inc. Method and apparatus for providing mobile and other intermittent connectivity in a computing environment
JP2000125029A (ja) 1998-10-12 2000-04-28 Matsushita Electric Ind Co Ltd Network control device
US6266418B1 (en) 1998-10-28 2001-07-24 L3-Communications Corporation Encryption and authentication methods and apparatus for securing telephone communications
EP1125415B1 (de) 1998-11-02 2006-01-25 Airbiquity Inc. Geospatial addressing for the Internet protocol
US6449651B1 (en) 1998-11-19 2002-09-10 Toshiba America Information Systems, Inc. System and method for providing temporary remote access to a computer
JP2000242589A (ja) 1999-02-25 2000-09-08 Mitsubishi Electric Corp Data transfer control computer system
US6892308B1 (en) * 1999-04-09 2005-05-10 General Instrument Corporation Internet protocol telephony security architecture
US6421768B1 (en) * 1999-05-04 2002-07-16 First Data Corporation Method and system for authentication and single sign on using cryptographically assured cookies in a distributed computer environment
EP1179244B1 (de) 1999-05-21 2006-07-05 International Business Machines Corporation Method and apparatus for initializing secure connections between, and only between, associated wireless devices
US6289450B1 (en) 1999-05-28 2001-09-11 Authentica, Inc. Information security architecture for encrypting documents for remote access while maintaining access control
US6691232B1 (en) * 1999-08-05 2004-02-10 Sun Microsystems, Inc. Security architecture with environment sensitive credential sufficiency evaluation
US6609198B1 (en) * 1999-08-05 2003-08-19 Sun Microsystems, Inc. Log-on service providing credential level change without loss of session continuity
US6826696B1 (en) * 1999-10-12 2004-11-30 Webmd, Inc. System and method for enabling single sign-on for networked applications
US7587467B2 (en) 1999-12-02 2009-09-08 Western Digital Technologies, Inc. Managed peer-to-peer applications, systems and methods for distributed data access and storage
US7917628B2 (en) 1999-12-02 2011-03-29 Western Digital Technologies, Inc. Managed peer-to-peer applications, systems and methods for distributed data access and storage
US7315948B1 (en) * 1999-12-10 2008-01-01 International Business Machines Corporation Time stamping method employing a separate ticket and stub
US20020010866A1 (en) 1999-12-16 2002-01-24 Mccullough David J. Method and apparatus for improving peer-to-peer bandwidth between remote networks by combining multiple connections which use arbitrary data paths
JP2001201543A (ja) * 2000-01-18 2001-07-27 Rooran:Kk Recording medium storing a scan path construction program, scan path construction method, and arithmetic processing system incorporating the scan path
US6496520B1 (en) 2000-01-21 2002-12-17 Broadcloud Communications, Inc. Wireless network system and method
US7113994B1 (en) * 2000-01-24 2006-09-26 Microsoft Corporation System and method of proxy authentication in a secured network
JP3630065B2 (ja) 2000-03-03 2005-03-16 Murata Manufacturing Co Ltd Method for manufacturing ceramic green sheets and ceramic green sheet manufacturing apparatus
US7065547B2 (en) 2000-03-09 2006-06-20 Persels Conrad G Integrated on-line system with enhanced data transfer protocol
US6845387B1 (en) 2000-04-07 2005-01-18 Advanced Digital Information Corporation Creating virtual private connections between end points across a SAN
IL135555A0 (en) * 2000-04-09 2001-05-20 Vidius Inc Preventing unauthorized access to data sent via computer networks
US6671729B1 (en) 2000-04-13 2003-12-30 Lockheed Martin Corporation Autonomously established secure and persistent internet connection and autonomously reestablished without user intervention that connection if it lost
US6766373B1 (en) 2000-05-31 2004-07-20 International Business Machines Corporation Dynamic, seamless switching of a network session from one connection route to another
US7010300B1 (en) 2000-06-15 2006-03-07 Sprint Spectrum L.P. Method and system for intersystem wireless communications session hand-off
US9038170B2 (en) * 2000-07-10 2015-05-19 Oracle International Corporation Logging access system events
US7260638B2 (en) 2000-07-24 2007-08-21 Bluesocket, Inc. Method and system for enabling seamless roaming in a wireless network
US6874086B1 (en) 2000-08-10 2005-03-29 Oridus, Inc. Method and apparatus implemented in a firewall for communicating information between programs employing different protocols
US6996631B1 (en) 2000-08-17 2006-02-07 International Business Machines Corporation System having a single IP address associated with communication protocol stacks in a cluster of processing systems
JP2004509539A (ja) 2000-09-12 2004-03-25 NetMotion Wireless Inc Method and apparatus for providing mobile and other intermittent connectivity in a computing environment
AU2002213355A1 (en) 2000-10-17 2002-04-29 Broadcloud Communications, Inc. Wireless asp systems and methods
US6697377B1 (en) 2000-10-21 2004-02-24 Innomedia Pte Ltd. Method for communicating audio data in a packet switched network
US8996698B1 (en) 2000-11-03 2015-03-31 Truphone Limited Cooperative network for mobile internet access
US7322040B1 (en) * 2001-03-27 2008-01-22 Microsoft Corporation Authentication architecture
US7136364B2 (en) 2001-03-29 2006-11-14 Intel Corporation Maintaining a reliable link
US20020150253A1 (en) * 2001-04-12 2002-10-17 Brezak John E. Methods and arrangements for protecting information in forwarded authentication messages
US20030041175A2 (en) 2001-05-03 2003-02-27 Singhal Sandeep K Method and System for Adapting Short-Range Wireless Access Points for Participation in a Coordinated Networked Environment
US6925481B2 (en) 2001-05-03 2005-08-02 Symantec Corp. Technique for enabling remote data access and manipulation from a pervasive device
US7224979B2 (en) 2001-05-03 2007-05-29 Symantec Corporation Location-aware service proxies in a short-range wireless environment
US6947444B2 (en) 2001-06-06 2005-09-20 Ipr Licensing, Inc. Method and apparatus for improving utilization efficiency of wireless links for web-based applications
US7100200B2 (en) 2001-06-13 2006-08-29 Citrix Systems, Inc. Method and apparatus for transmitting authentication credentials of a user across communication sessions
US7698381B2 (en) * 2001-06-20 2010-04-13 Microsoft Corporation Methods and systems for controlling the scope of delegation of authentication credentials
US7287156B2 (en) * 2001-06-29 2007-10-23 International Business Machines Corporation Methods, systems and computer program products for authentication between clients and servers using differing authentication protocols
US6832260B2 (en) 2001-07-26 2004-12-14 International Business Machines Corporation Methods, systems and computer program products for kernel based transaction processing
AUPR797501A0 (en) 2001-09-28 2001-10-25 BlastMedia Pty Limited A method of displaying content
US6993652B2 (en) * 2001-10-05 2006-01-31 General Instrument Corporation Method and system for providing client privacy when requesting content from a public server
US20030084165A1 (en) 2001-10-12 2003-05-01 Openwave Systems Inc. User-centric session management for client-server interaction using multiple applications and devices
US20030078983A1 (en) 2001-10-23 2003-04-24 Sullivan Terence Sean Message prioritization and buffering in a limited network
US20030078985A1 (en) 2001-10-23 2003-04-24 David Holbrook Proactive message buffering across intermittent network connections
US7042879B2 (en) 2001-11-02 2006-05-09 General Instrument Corporation Method and apparatus for transferring a communication session
US7181620B1 (en) * 2001-11-09 2007-02-20 Cisco Technology, Inc. Method and apparatus providing secure initialization of network devices using a cryptographic key distribution approach
US7028183B2 (en) 2001-11-13 2006-04-11 Symantec Corporation Enabling secure communication in a clustered or distributed architecture
KR100436435B1 (ko) 2001-12-26 2004-06-16 Electronics and Telecommunications Research Institute Packet transmission apparatus using indirect authorization in an integrated wired/wireless network, and method therefor
US7661129B2 (en) 2002-02-26 2010-02-09 Citrix Systems, Inc. Secure traversal of network components
JP4315696B2 (ja) 2002-03-29 2009-08-19 Fujitsu Ltd Host terminal emulation program, relay program, and host terminal emulation method
US7080404B2 (en) 2002-04-01 2006-07-18 Microsoft Corporation Automatic re-authentication
US7467214B2 (en) 2003-06-20 2008-12-16 Motorola, Inc. Invoking protocol translation in a multicast network
US7532640B2 (en) 2003-07-02 2009-05-12 Caterpillar Inc. Systems and methods for performing protocol conversions in a machine

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20010000358A1 (en) * 1998-06-12 2001-04-19 Kousei Isomichi Gateway system and recording medium
WO2001015377A1 (en) * 1999-08-23 2001-03-01 Encommerce, Inc. Multi-domain access control
WO2001074026A1 (de) * 2000-03-27 2001-10-04 E-Plus Mobilfunk Gmbh & Co. Kg Customer identification method for personalizable Internet portals based on the telephone number

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See also references of WO03073216A2 *

Also Published As

Publication number Publication date
AU2003231961C1 (en) 2010-01-14
AU2003231961A1 (en) 2003-09-09
EP1483680B1 (de) 2010-11-24
WO2003073216A3 (en) 2003-12-31
US20030163569A1 (en) 2003-08-28
AU2003231961B2 (en) 2009-07-02
DE60335085D1 (de) 2011-01-05
JP2005518595A (ja) 2005-06-23
ATE489679T1 (de) 2010-12-15
IL163623A0 (en) 2005-12-18
WO2003073216A2 (en) 2003-09-04
US7661129B2 (en) 2010-02-09
CA2476534A1 (en) 2003-09-04
KR20040089648A (ko) 2004-10-21
EP1483680A4 (de) 2008-12-17

Similar Documents

Publication Publication Date Title
US7661129B2 (en) Secure traversal of network components
EP1332599B1 (de) System and method for securing a non-secure communication channel
US7984157B2 (en) Persistent and reliable session securely traversing network components using an encapsulating protocol
US7287271B1 (en) System and method for enabling secure access to services in a computer network
US6766454B1 (en) System and method for using an authentication applet to identify and authenticate a user in a computer network
KR100872099B1 (ko) Method and system for single-sign-on access to a computer grid
CA2341213C (en) System and method for enabling secure access to services in a computer network
KR100800339B1 (ko) Method and system for user-determined authentication and single sign-on in a federated environment
AU2002235149A1 (en) System and method for securing a non-secure communication channel
US20030163694A1 (en) Method and system to deliver authentication authority web services using non-reusable and non-reversible one-time identity codes
US6785729B1 (en) System and method for authorizing a network user as entitled to access a computing node wherein authenticated certificate received from the user is mapped into the user identification and the user is presented with the opportunity to logon to the computing node only after the verification is successful
Jeong et al. An XML-based single sign-on scheme supporting mobile and home network service environments
Jeong et al. A study on the xml-based single sign-on system supporting mobile and ubiquitous service environments
Norris Milton et al. Web Service Security

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase. Free format text: ORIGINAL CODE: 0009012
17P Request for examination filed. Effective date: 20031125
AK Designated contracting states. Kind code of ref document: A2. Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LI LU MC NL PT SE SI SK TR
AX Request for extension of the european patent. Extension state: AL LT LV MK RO
A4 Supplementary search report drawn up and despatched. Effective date: 20081114
RIC1 Information provided on ipc code assigned before grant. Ipc: H04L 29/06 20060101ALI20081110BHEP; Ipc: G06F 15/16 20060101AFI20040929BHEP
17Q First examination report despatched. Effective date: 20090408
GRAP Despatch of communication of intention to grant a patent. Free format text: ORIGINAL CODE: EPIDOSNIGR1
GRAS Grant fee paid. Free format text: ORIGINAL CODE: EPIDOSNIGR3
GRAA (expected) grant. Free format text: ORIGINAL CODE: 0009210
AK Designated contracting states. Kind code of ref document: B1. Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LI LU MC NL PT SE SI SK TR
REG Reference to a national code. Ref country code: GB; Ref legal event code: FG4D
REG Reference to a national code. Ref country code: CH; Ref legal event code: EP
REG Reference to a national code. Ref country code: IE; Ref legal event code: FG4D
REF Corresponds to: Ref document number: 60335085; Country of ref document: DE; Date of ref document: 20110105; Kind code of ref document: P
REG Reference to a national code. Ref country code: NL; Ref legal event code: VDEP; Effective date: 20101124
PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]
  Ref country code: AT; Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT; Effective date: 20101124
  Ref country code: NL; Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT; Effective date: 20101124
  Ref country code: SI; Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT; Effective date: 20101124
  Ref country code: BG; Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT; Effective date: 20110224
  Ref country code: SE; Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT; Effective date: 20101124
  Ref country code: PT; Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT; Effective date: 20110324
  Ref country code: CY; Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT; Effective date: 20101124
PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]
  Ref country code: GR; Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT; Effective date: 20110225
PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]
  Ref country code: EE; Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT; Effective date: 20101124
  Ref country code: CZ; Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT; Effective date: 20101124
  Ref country code: BE; Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT; Effective date: 20101124
  Ref country code: ES; Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT; Effective date: 20110307
PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]
  Ref country code: ES; Payment date: 20110222; Year of fee payment: 9
PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]
  Ref country code: DK; Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT; Effective date: 20101124
  Ref country code: SK; Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT; Effective date: 20101124
PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]
  Ref country code: MC; Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES; Effective date: 20110228
PLBE No opposition filed within time limit. Free format text: ORIGINAL CODE: 0009261
REG Reference to a national code. Ref country code: CH; Ref legal event code: PL
STAA Information on the status of an ep patent application or granted ep patent. Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT
PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]
  Ref country code: LI; Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES; Effective date: 20110228
  Ref country code: CH; Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES; Effective date: 20110228
26N No opposition filed. Effective date: 20110825
REG Reference to a national code. Ref country code: DE; Ref legal event code: R097; Ref document number: 60335085; Country of ref document: DE; Effective date: 20110825
PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]
  Ref country code: IT; Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT; Effective date: 20101124
PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]
  Ref country code: LU; Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES; Effective date: 20110221
PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]
  Ref country code: TR; Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT; Effective date: 20101124
PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]
  Ref country code: HU; Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT; Effective date: 20101124
REG Reference to a national code. Ref country code: FR; Ref legal event code: PLFP; Year of fee payment: 14
REG Reference to a national code. Ref country code: FR; Ref legal event code: PLFP; Year of fee payment: 15
REG Reference to a national code. Ref country code: FR; Ref legal event code: PLFP; Year of fee payment: 16
PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]
  Ref country code: IE; Payment date: 20220121; Year of fee payment: 20
  Ref country code: GB; Payment date: 20220119; Year of fee payment: 20
  Ref country code: FI; Payment date: 20220118; Year of fee payment: 20
  Ref country code: DE; Payment date: 20220119; Year of fee payment: 20
PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]
  Ref country code: FR; Payment date: 20220120; Year of fee payment: 20
REG Reference to a national code. Ref country code: DE; Ref legal event code: R071; Ref document number: 60335085; Country of ref document: DE
REG Reference to a national code. Ref country code: GB; Ref legal event code: PE20; Expiry date: 20230220
REG Reference to a national code. Ref country code: IE; Ref legal event code: MK9A
PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]
  Ref country code: IE; Free format text: LAPSE BECAUSE OF EXPIRATION OF PROTECTION; Effective date: 20230221
PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]
  Ref country code: GB; Free format text: LAPSE BECAUSE OF EXPIRATION OF PROTECTION; Effective date: 20230220